As Congress weighs cyber law, Internet protests resume

A new round of Internet protests is under way in opposition to cybersecurity legislation before Congress that would open communications lines between the public and private sectors on security.

The protests against the Cyber Intelligence Sharing and Protection Act (CISPA) aren’t at the level of the Jan. 18 Internet blackouts that toppled the Stop Online Piracy Act, but the core dispute is the same: opponents say the bill threatens freedom of expression and privacy, while supporters say it is necessary to national cybersecurity and to protecting intellectual property.

The House Intelligence Committee approved the bill, co-sponsored by Reps. Mike Rogers (R-Mich.) and C.A. “Dutch” Ruppersberger (D-Md.) and supported by Facebook, Microsoft and some other leading technology companies, in December, but the legislation could undergo some changes before reaching the full House.

A coalition including the Center for Democracy and Technology, the Electronic Frontier Foundation and Reporters Without Borders has launched a Twitter protest, encouraging followers to use the #CongressTMI and #CISPA hashtags in tweets to lawmakers, and is organizing a letter-writing campaign.

“Freedom of expression and the protection of online privacy are increasingly under threat in democratic countries, where a series of bills and draft laws is sacrificing them in the interests of national security or copyright,” Reporters Without Borders said in announcing the protest. “A blanket monitoring system is never an appropriate solution. Reporters Without Borders opposes CISPA and asks Congress to reject this legislation.”

The protest, dubbed “Stop Cyber Spying Week,” so far is considerably lower profile than the protest in January against SOPA, then in the House, the Protect IP Act in the Senate, when thousands of websites and blogs went dark and Congress abandoned the bills. In February, protests in Europe also derailed the Anti-Counterfeiting Trade Agreement, an international anti-piracy treaty that had been in the works since 2006.

The biggest objections to SOPA and PIPA were over provisions that would require Internet service providers and search engines to block traffic to overseas sites selling counterfeit goods, or redirect traffic away from them. That censorship of traffic drew opposition from open-Internet advocacy groups, as well as security groups pushing to secure the Domain Name System with DNS Security Extensions, which are designed to prevent the redirecting of traffic.

CISPA doesn’t include provisions to block or redirect traffic, however, which is one reason Facebook, which opposed SOPA and PIPA, has given for its support. In a recent blog post, Joel Kaplan, the company’s vice president for U.S. Public Policy, also touted the bill’s security and privacy provisions.

The bills “would make it easier for Facebook and other companies to receive critical threat data from the U.S. government…and ensures that if we do share data about specific cyber threats, we are able to continue to safeguard our users’ private information.”

Opponents, however, say the bill is too broadly written and would put the Defense Department’s National Security Agency in charge of cybersecurity.

CISPA “uses dangerously vague language to define the breadth of data that can be shared with the government,” Reporters Without Borders’ statement said, adding that it “allows data shared with the government to be used for purposes unrelated to cybersecurity.”

The issue of whether NSA or the civilian Homeland Security Department should be charge of protecting the nation’s critical infrastructure has been a bone of contention in Congress.

Sen. Joseph Lieberman (I-Conn.) has introduced the comprehensive Cybersecurity Act of 2012 (S. 2105), which would give DHS the lead role in overseeing minimum security requirements for privately owned critical infrastructure. Sen. John McCain (R-Ariz.), however, has criticized DHS’ performance and introduced a competing bill, the Secure IT Act (S. 2151), which includes no role for DHS and no requirements for protecting private infrastructure.